Monday Nov 17, 2008
The Java sandbox is a security measure in the Java environment. The sandbox is a set of rules, applied when creating an applet, that prevents certain functions when the applet is sent as part of a Web page. When a browser requests a Web page with applets, the applets are sent automatically and can be executed as soon as the page arrives in the browser. If an applet were allowed unlimited access to memory and operating system resources, it could do harm in the hands of someone with malicious intent. The sandbox creates an environment in which there are strict limitations on what system resources the applet can request or access. Sandboxes are used when executable code comes from unknown or untrusted sources, and they allow the user to run untrusted code safely.
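Added example, not from the original post: the same sandbox mechanism applied to a plain Java SE application instead of an applet. Once a SecurityManager is installed, every file open goes through a permission check, and the default policy grants this code no FilePermission, so a read that succeeded before is refused afterwards. The file path and class name are placeholders of mine.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.AccessControlException;

// Added example (not the blog's own code): the classic Java sandbox, i.e. a
// SecurityManager whose policy grants no FilePermission to this code.
public class SandboxDemo {

    // Try to open a file and report what happened, distinguishing a sandbox
    // refusal from an ordinary file-system error.
    static String tryRead(String path) {
        try (FileInputStream in = new FileInputStream(path)) {
            return "allowed (" + in.available() + " bytes available)";
        } catch (AccessControlException e) {
            // Thrown by the sandbox before the file is opened: the code lacks
            // the FilePermission the policy would have to grant.
            return "denied by sandbox: missing " + e.getPermission();
        } catch (IOException e) {
            return "I/O error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String path = "/etc/hosts"; // placeholder; any readable local file works
        System.out.println("without sandbox: " + tryRead(path));
        // Install the default SecurityManager. JDK 18 and later need
        // -Djava.security.manager=allow at launch; JDK 24 disables it permanently.
        System.setSecurityManager(new SecurityManager());
        System.out.println("with sandbox   : " + tryRead(path));
    }
}
```

The second call fails with an AccessControlException naming the missing java.io.FilePermission, which is exactly how an applet without a policy grant is kept away from the local file system.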
Sunday Nov 16, 2008
Hehe, just wanna take a rest.
Thursday Oct 30, 2008
Get the skills you need for the best jobs. Through the Sun Academic Initiative (SAI), students are able to get free web-based training on Sun technologies and master the skills to fast-track their careers. Leverage Sun's industry-leading expertise and latest innovations to expand your knowledge of these leading technologies:
- Java technology
- Solaris OS system administration
- Java Enterprise System infrastructure products
- StarOffice productivity suite
Tuesday Oct 14, 2008
Wednesday Oct 01, 2008
Tuesday Sep 30, 2008
Trying to use the BC Crypto APIs to implement the crypto core function in my system. The point is how to implement ECDSA on a mobile device. Speed is a more complicated issue. Key generation for ECDSA should be solved this week.
http://www.bouncycastle.org/ contributes the following:
The Bouncy Castle Crypto APIs for Java consist of the following:
- A lightweight cryptography API for Java and C#.
- A provider for the Java Cryptography Extension and the Java Cryptography Architecture.
- A clean room implementation of the JCE 1.2.1.
- A library for reading and writing encoded ASN.1 objects.
- A lightweight client-side TLS API.
- Generators for Version 1 and Version 3 X.509 certificates, Version 2 CRLs, and PKCS12 files.
- Generators for Version 2 X.509 attribute certificates.
- Generators/Processors for S/MIME and CMS (PKCS7/RFC 3852).
- Generators/Processors for OCSP (RFC 2560).
- Generators/Processors for TSP (RFC 3161).
- Generators/Processors for OpenPGP (RFC 2440).
- A signed jar version suitable for JDK 1.4-1.6 and the Sun JCE.
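Added example, not from the original post and not Bouncy Castle's own code: ECDSA key generation, signing and verification written against the lightweight org.bouncycastle.crypto API, the part of the library that works without the JCE provider framework. The curve choice (secp256r1), the sample transaction text and the class name are my assumptions.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import org.bouncycastle.asn1.sec.SECNamedCurves;
import org.bouncycastle.asn1.x9.X9ECParameters;
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.generators.ECKeyPairGenerator;
import org.bouncycastle.crypto.params.ECDomainParameters;
import org.bouncycastle.crypto.params.ECKeyGenerationParameters;
import org.bouncycastle.crypto.signers.ECDSASigner;
// Added example (not the blog's or Bouncy Castle's own code): ECDSA with the
// lightweight org.bouncycastle.crypto API. Curve name and sample data are assumed.
public class EcdsaDemo {
    // Domain parameters of a named curve; P-256 gives ~128-bit security from a 256-bit key.
    static ECDomainParameters domain(String curveName) {
        X9ECParameters x9 = SECNamedCurves.getByName(curveName);
        return new ECDomainParameters(x9.getCurve(), x9.getG(), x9.getN(), x9.getH());
    }
    static AsymmetricCipherKeyPair generateKeyPair(ECDomainParameters dp, SecureRandom rnd) {
        ECKeyPairGenerator gen = new ECKeyPairGenerator();
        gen.init(new ECKeyGenerationParameters(dp, rnd));
        return gen.generateKeyPair();
    }
    // ECDSA signs a digest, not the raw message, so hash with SHA-256 first.
    static byte[] sha256(byte[] msg) {
        SHA256Digest d = new SHA256Digest();
        d.update(msg, 0, msg.length);
        byte[] out = new byte[d.getDigestSize()];
        d.doFinal(out, 0);
        return out;
    }
    static BigInteger[] sign(AsymmetricCipherKeyPair kp, byte[] msg) {
        ECDSASigner signer = new ECDSASigner();
        signer.init(true, kp.getPrivate());           // true = sign with the private key
        return signer.generateSignature(sha256(msg)); // the pair {r, s}
    }
    static boolean verify(AsymmetricCipherKeyPair kp, byte[] msg, BigInteger[] sig) {
        ECDSASigner verifier = new ECDSASigner();
        verifier.init(false, kp.getPublic());         // false = verify with the public key
        return verifier.verifySignature(sha256(msg), sig[0], sig[1]);
    }
    public static void main(String[] args) {
        AsymmetricCipherKeyPair kp = generateKeyPair(domain("secp256r1"), new SecureRandom());
        byte[] tx = "transfer 100.00 from ACC-1 to ACC-2".getBytes();  // constructed sample
        BigInteger[] sig = sign(kp, tx);
        System.out.println("genuine verifies: " + verify(kp, tx, sig));
        byte[] altered = "transfer 900.00 from ACC-1 to ACC-2".getBytes(); // amount changed
        System.out.println("altered verifies: " + verify(kp, altered, sig));
    }
}
```

Because the key is a 256-bit scalar and the signature is two 256-bit integers, this is the kind of payload a resource-limited handset can produce and transmit, which is the property the post is after.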
Sunday Sep 28, 2008
Here is what my thesis lies on. I am currently working towards building the demo system. The system is implemented with Java ME and a Java web application. I use NetBeans to program.
Nowadays, the evolution of wireless network and mobile device technology increases concerns about the performance and security of mobile payment systems. In this research, we propose a new secured platform for two-party mobile payment, e.g. mobile banking. The proposed platform employs lightweight public-key cryptography (ECDSA) and a multifactor authentication mechanism, together with a Transaction Log strategy, to satisfy the properties of confidentiality, authentication, integrity and non-repudiation, which are required by any secured payment infrastructure. Compared to some existing mobile payment platforms, our platform is a lightweight secured mechanism that is more suitable for two-party banking transactions over resource-limited mobile devices.
Monday Aug 18, 2008
If I stored a private key in tamper-resistant hardware, which can be plugged into my mobile device, how can I use J2ME to read and operate this private key? Compared with RMS, which is the better choice for the security of mobile transactions?
What is tamper-resistant hardware?
One part of designing a secure computer system is ensuring that various cryptographic keys can be accessed only by their intended user(s) and only for their intended purposes. Keys stored inside a computer can be vulnerable to use, abuse, and/or modification by an unauthorized attacker. For a variety of situations, an appropriate way to protect keys is to store them in a tamper-resistant hardware device. These devices can be used for applications ranging from secure e-mail to electronic cash and credit cards. They offer physical protection to the keys residing inside them, thereby providing some assurance that these keys have not been maliciously read or modified.
Typically, gaining access to the contents of a tamper-resistant device requires knowledge of a PIN or password; exactly what type of access can be gained with this knowledge is device-dependent. Some tamper-resistant devices do not permit certain keys to be exported outside the hardware. This can provide a very strong guarantee that these keys cannot be abused: the only way to use these keys is to physically possess the particular device. Of course, these devices must actually be able to perform cryptographic functions with their protected keys, since these keys would otherwise be useless.
Tamper-proof devices come in a variety of forms and capabilities. One common type of device is a ‘smart card,’ which is approximately the size and shape of a credit card. To use a smart card, one inserts it into a smart card reader that is attached to a computer. Smart Cards are frequently used to hold a user’s private keys for financial applications; Mondex is a system that makes use of tamper-resistant hardware in this fashion. [1]
[1] Frequently Asked Questions about Today's Cryptography, version 4.1, RSA Laboratories.
Thursday May 29, 2008
Is there anybody who is familiar with PKI and PKI implementation on mobile communication? I tried to build up a lightweight infrastructure to keep mobile transactions secure. If you have any comments or information about mobile payment/transaction security or PKI, symmetric-key, public-key, etc., or some implementation research based on JavaME/JavaEE, please feel free to leave them here. You can also reach me via email: yunpu.zhu-AT-sun-DOT-com
Thanks
In cryptography, a public key infrastructure (PKI) is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique for each CA. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in public key certificates issued by the CA.
The term trusted third party (TTP) may also be used for certificate authority (CA). The term PKI is sometimes erroneously used to denote public key algorithms, which do not require the use of a CA.
PKI arrangements enable computer users without prior contact to be authenticated to each other, and to use the public key information in their public key certificates to encrypt messages to each other.[1] In general, a PKI consists of client software, server software, hardware (e.g., smart cards), legal contracts and assurances, and operational procedures. A signer's public key certificate may also be used by a third party to verify the digital signature of a message, which was made using the signer's private key. In general, a PKI enables the parties in a dialogue to establish confidentiality, message integrity and user authentication without having to exchange any secret information in advance, or even any prior contact. The validity of a PKI between the communicating parties is, however, limited by practical problems such as uncertain certificate revocation, CA conditions for certificate issuance and reliance, variability of regulations and evidentiary laws by jurisdiction, and trust.[2]
These problems, which are significant for the initial contact, tend to be less important as the communication progresses in time (including the use of other communication channels) and the parties have opportunities to develop trust in their identities and keys.[2]
Monday Jan 14, 2008
The third Sun Tech Talk at the University of Lethbridge will be held on Jan 28.
From 12:00 - 12:30 pm
In C620 UHall
Topic: Introduction to OpenSolaris
Refreshments will be available.
Wednesday Dec 05, 2007
Update: Sun Dangles Prize Money over Open-Source Efforts
IDG News, Chris Kanaracus; December 04, 2007
http://www.infoworld.com/article/07/12/04/Sun-dangles-prize-money-over-open-source_1.html
Sun unveils details of its new award program meant to spur growth in the open-source community. Writing on his blog, Sun open-source officer Simon Phipps explains, "We'll be providing a substantial prize purse and working with the communities involved to develop the approach that works best." The program involves the OpenSolaris, GlassFish, OpenJDK, OpenSPARC, NetBeans and OpenOffice.org communities, and "is a great opportunity for members of these open-source communities to take their passion and creativity and push the innovation boundaries," according to Phipps.
OpenOffice.org 2.3 Impresses
eWeek, Tiffany Maleshefski; November 28, 2007
http://www.eweek.com/article2/0,1895,2224467,00.asp
eWeek reviews the latest version of OpenOffice.org, version 2.3. The upgrade, which runs on seven operating platforms, including Solaris and Windows, offers improved upgrade paths for Microsoft Office users, new security features, and updates to the suite’s word processing, spreadsheet, presentation and database applications.
Sunday Dec 02, 2007
LaTeX (LATEX, transliterated in Chinese as "拉泰赫") is a typesetting system based on TeX, developed by the American computer scientist Leslie Lamport in the early 1980s. With this format, even users who have no knowledge of typesetting or programming can make full use of the powerful features provided by TeX, and can produce many book-quality printed documents in a few days or even a few hours. This is especially evident when producing complex tables and mathematical formulas, which makes it very well suited to producing scientific and mathematical documents of high print quality. The system is equally suited to producing every other kind of document, from simple letters to complete books.
Excerpt from the Chinese Wikipedia entry on LaTeX.
Tuesday Nov 27, 2007
Totally from my personal interest. It's a good guide on how to demo software. Joel sometimes provides us some hints.
http://www.joelonsoftware.com/items/2007/11/16.html
Tuesday Nov 20, 2007
This blog copyright 2009 by Yunpu Zhu